Amazon Linux 2 : freetype (ALAS-2025-2806)

🗓️ 01 Apr 2025 00:00:00Reported by TenableType

Freetype before version 2.8-14 is vulnerable to multiple security issues per ALAS-2025-2806.

Reporter	Title	Published	Views	Family All 291
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation	28 May 202514:39	–	ibm
IBM Security Bulletins	Security Bulletin: FreeType Remote Code Execution Vulnerability affects IBM Watson Machine Learning Accelerator on Cloud Pak for Data	5 May 202521:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM WebSphere Automation is vulnerable to an arbitrary code execution (CVE-2025-27363).	30 Apr 202513:12	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in FreeType affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	25 Sep 202511:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Business Automation images repackage a vulnerable version of freetype - CVE-2025-27363	6 May 202508:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Automation Decision Services for October 2025 - Multiple CVEs addressed	3 Dec 202506:06	–	ibm
IBM Security Bulletins	Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a FreeType Remote Code Execution security vulnerability (CVE-2025-27363)	7 May 202514:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar EDR Software contains multiple vulnerabilities	20 May 202521:07	–	ibm
IBM Security Bulletins	Security Bulletin: Several Security Vulnerabilities have been discovered in IBM Security Verify Directory Appliance	7 Oct 202518:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos PowerPlay has addressed a vulnerability in FreeType (CVE-2025-27363)	29 Apr 202516:06	–	ibm

Source	Link
alas	www.alas.aws.amazon.com/AL2/ALAS-2025-2806.html
alas	www.alas.aws.amazon.com/cve/html/CVE-2025-23022.html
alas	www.alas.aws.amazon.com/cve/html/CVE-2025-27363.html
alas	www.alas.aws.amazon.com/faqs.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2025-2806.
##

include('compat.inc');

if (description)
{
  script_id(233690);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/10");

  script_cve_id("CVE-2025-23022", "CVE-2025-27363");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/05/27");
  script_xref(name:"IAVA", value:"2025-A-0161-S");

  script_name(english:"Amazon Linux 2 : freetype (ALAS-2025-2806)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of freetype installed on the remote host is prior to 2.8-14. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2025-2806 advisory.

    FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c. (CVE-2025-23022)

    An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph
    structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short
    value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of
    a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer.
    This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
    (CVE-2025-27363)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2025-2806.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2025-23022.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2025-27363.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update freetype' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-23022");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freetype");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freetype-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freetype-demos");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:freetype-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'freetype-2.8-14.amzn2.1.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-2.8-14.amzn2.1.4', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-2.8-14.amzn2.1.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-debuginfo-2.8-14.amzn2.1.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-debuginfo-2.8-14.amzn2.1.4', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-debuginfo-2.8-14.amzn2.1.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-demos-2.8-14.amzn2.1.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-demos-2.8-14.amzn2.1.4', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-demos-2.8-14.amzn2.1.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-devel-2.8-14.amzn2.1.4', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-devel-2.8-14.amzn2.1.4', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'freetype-devel-2.8-14.amzn2.1.4', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freetype / freetype-debuginfo / freetype-demos / etc");
}

10 Mar 2026 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.18.1

EPSS0.70344

SSVC